ahtlon/deck
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

fix(activity): Fix permission checks when rendering activities in background jobs

Browse Source 
Signed-off-by: Joas Schilling <coding@schilljs.com>
This commit is contained in:
Joas Schilling
2024-01-29 09:10:47 +01:00
parent bfe2a9053f
commit 16078a3dd3
2 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
lib/Activity/ActivityManager.php
View File

@@ -566,9 +566,9 @@ class ActivityManager {
];
}
public function canSeeCardActivity(int $cardId): bool {
public function canSeeCardActivity(int $cardId, string $userId): bool {
try {
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ, $userId);
$card = $this->cardMapper->find($cardId);
return $card->getDeletedAt() === 0;
} catch (NoPermissionException $e) {
@@ -576,9 +576,9 @@ class ActivityManager {
}
}
public function canSeeBoardActivity(int $boardId): bool {
public function canSeeBoardActivity(int $boardId, string $userId): bool {
try {
$this->permissionService->checkPermission($this->boardMapper, $boardId, Acl::PERMISSION_READ);
$this->permissionService->checkPermission($this->boardMapper, $boardId, Acl::PERMISSION_READ, $userId);
$board = $this->boardMapper->find($boardId);
return $board->getDeletedAt() === 0;
} catch (NoPermissionException $e) {

4
lib/Activity/DeckProvider.php
View File

@@ -111,7 +111,7 @@ class DeckProvider implements IProvider {
$event->setAuthor($author);
}
if ($event->getObjectType() === ActivityManager::DECK_OBJECT_BOARD) {
if (!$this->activityManager->canSeeBoardActivity($event->getObjectId())) {
if (!$this->activityManager->canSeeBoardActivity($event->getObjectId(), $event->getAffectedUser())) {
throw new \InvalidArgumentException();
}
if (isset($subjectParams['board']) && $event->getObjectName() === '') {
@@ -128,7 +128,7 @@ class DeckProvider implements IProvider {
}
if (isset($subjectParams['card']) && $event->getObjectType() === ActivityManager::DECK_OBJECT_CARD) {
if (!$this->activityManager->canSeeCardActivity($event->getObjectId())) {
if (!$this->activityManager->canSeeCardActivity($event->getObjectId(), $event->getAffectedUser())) {
throw new \InvalidArgumentException();
}
if ($event->getObjectName() === '') {